We’re in a unique moment in history, where the negative consequences of organizations tracking our digital traffic are painfully clear. It’s certainly understandable that “security measures” can seem to many people more like intrusive surveillance than personal protection. But a lack of defenses will also have negative consequences for our safety and feeling of trust.

What can security professionals in higher ed do to maintain the balance between safety and privacy? Is it possible to maintain trust in the institution and yet enable users to explore safely?

The importance of context

Consider security and safety analogies in the physical realm such as security guards or checkpoints. Everyone has his or her own sense of what seems obtrusive and what is welcome. There are questions that can help predict where security measures will fall on the acceptable-to-intrusive continuum:

  • Is the area being secured… a personal area? a public space? a sensitive administrative department?
  • If the secured area is public, are you inspecting everyone and everything and removing whatever or whomever could be considered suspicious? Or are you checking a list for specifically dangerous people or items?
  • Are the criteria decided fairly and applied equally? Are there effective methods to correct and augment the list quickly if there are errors or omissions?
  • Are records kept of everyone and everything that entered and exited this area?
  • Are security measures applied by an outside authority or can people apply it to protect themselves?

Generally speaking, public or personal areas are expected to operate with little to no proactive controls. As long as people have access to effective and timely reactive measures, a sense of safety can be maintained. Sensitive areas are expected to be under a certain amount of scrutiny, as long as that scrutiny is applied fairly and transparently.

How to maintain the balance between security and privacy

Context in action

In an educational environment, there are areas that must be publicly accessible and relatively unrestricted and areas that should remain private to the individuals or groups who use that space. There are also areas that should be tightly controlled, such as financial, healthcare and administrative information.

In areas that should be tightly controlled, there are few people who would take issue with closely monitoring activities and restricting users’ ability to perform activities outside those strictly required to do those necessary, sensitive tasks. The opposite extreme would be personal repositories or computers within housing areas of your network, which should have minimal monitoring or restriction. Most other systems, machines, and users fall somewhere in between.

About the Author:

As a security researcher for ESET, Lysa Myers focuses on providing practical analysis and advice of security trends and events. For nearly 20 years, she has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products.


Add your opinion to the discussion.